6 - Secure Coding Flashcards

Summarize secure application development, deployment, and automation concepts; analyze indicators of application attacks; be able to implement host or application security solutions

1
Q

Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting?

A

Static Code Analysis

2
Q

Charles is worried about his users conducting SQL-injection attacks. What solution would BEST address his concerns?

A

Regularly perform User Input Validation

3
Q

Precompiled SQL statements that only require variables to be input are an example of what type of application security control?

A

Parameterized Queries

4
Q

During a web application test, Ben discovers that the application shows SQL code as part of an error provided to application users. What should he note in his report?

A

“Improper Error Handling”

5
Q

The application that Scott is writing has a flaw that occurs when two operations are attempted at the same time, resulting in unexpected results when the two actions do not occur in the expected order. What type of flaw does the app have?

A

A Race Condition

6
Q

Every time Susan checks code into her org’s code repository, it is tested and validated, and (if accepted), it is IMMEDIATELY put into production. What is the BEST term for this sequence?

A

Continuous Delivery

7
Q

Tim is working on a change to a web application used by his organization to fix a known bug. What environment should he be working in?

A

Development Environment

8
Q

What software development model focuses on the early and continuous delivery of software?

A

Agile

9
Q

Kevin would like to ensure that his software runs on a platform that is able to expand and contract as his org’s needs change. What term best describes his goal?

A

Elasticity

10
Q

What are the advantages of database normalization?

A

Normalization prevents data inconsistencies, reduces the need for reconstruction, and makes the schema more informative

11
Q

What data minimization technique replaces personal identifiers with unique identifiers that may be cross-referenced with a lookup table?

A

Tokenization

12
Q

Frank is investigating a security incident where an attacker entered a very long string into an input field, which was followed by a system command. What type of attack likely took place?

A

Buffer Overflow

13
Q

What type of attack places an attacker in the position to eavesdrop on communications between a user and a web server?

A

Man in the Middle (MitM)

14
Q

Tom is a developer who creates code for sale to the public. He would like to assure his users that the code they receive actually came from him. What technique can he use to best provide this assurance?

A

Code Signing

15
Q

What type of cross-site scripting attack would not be visible to a security professional inspecting the HTML source code in a browser?

A

DOM-Based XSS

16
Q

Joe checks his web server logs and sees someone sent the following query string to an application running on the server:
http://www.mycompany.com/servicestatus.php?serviceID=12376129786696783' ; DROP TABLE SERVICES;--
What type of attack was most likely attempted?

A

Parameter Pollution

17
Q

Upon further inspection, Joe finds a series of thousands of requests to the same URL coming from a single IP address, with only one number difference between the lot of them. What type of VULNERABILITY was the attacker trying to exploit?

A

Insecure Direct Object Reference

18
Q

Joe’s adventures in web server log analysis are not yet complete. As he continues to review the logs, he finds the following request:
http://www.mycompany.com/../../../../etc/passwd
What type of attack was most likely attempted?

A

Directory Traversal

19
Q

Wendy is a penetration tester who wishes to engage in session hijacking. What info is crucial for Wendy to obtain if her attack is to be successful?

A

Session Cookies

20
Q

Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string [WAITFOR]. What type of attack was the user likely attempting?

A

Timing-Based SQL Injection